Threat Condition Management

ABSTRACT

Methods, products, apparatuses, and systems may manage a threat condition. A plurality of triggers may be identified over a period of time. Each of the triggers may be associated with a threat risk value. An accumulation value may be determined based on an aggregation of each threat risk value over the period of time. A set of progressive threshold values associated with a set of progressive threat conditions may be defined. A threat condition from the set of threat conditions may be established for the device based on the accumulation value. The threat condition may be managed, for example by defining an operational mode for the device, in response to the threat condition.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Continuation of currently pending U.S. patent application Ser. No. 14/014,034 filed on Aug. 29, 2013, currently allowed. The application identified above is incorporated herein by reference in its entirety for all that it contains in order to provide continuity of disclosure.

BACKGROUND

Embodiments of the present invention generally relate to managing a threat condition. More particularly, embodiments relate to identifying a plurality of triggers over a period of time associated with a threat risk value and determining an accumulation value based on an aggregation of the threat risk values, wherein a threat condition may be established based on the accumulation value and the threat condition may be managed by defining an operational condition.

The management of a threat condition for a device may involve an extreme binary security response, such as immediately locking the device when an error is identified (e.g., failed login attempt). In addition, a request to the device from a user may be required to manage the threat condition. Moreover, a response to a security prompt (e.g., request to enter a password) by the user may be required to reverse the security response. Accordingly, the user may experience delay and/or inconvenience when managing a threat condition.

BRIEF SUMMARY

Embodiments may include a method involving identifying a plurality of triggers including a suspicion trigger and a calming trigger over a period of time, wherein each of the triggers are to be associated with a threat risk value. The method may include determining an accumulation value based on an aggregation of each threat risk value over the period of time. In addition, the method may include defining a set of progressive threshold values to be associated with a set of progressive threat conditions, wherein a threat condition from the set is to be established for the device based on the accumulation value. The method may include managing the threat condition, wherein an operational mode for a device is to be defined in response to the threat condition.

Embodiments may include a method involving identifying a plurality of triggers over a period of time, wherein the plurality of triggers include a suspicion trigger to indicate suspicious activity for a device and a calming trigger to indicate calming activity for the device, and wherein each of the triggers are associated with a threat risk value. The method may include determining an accumulation value based on an aggregation of each threat risk value over the period of time, wherein the threat risk value includes a departure risk value causing the accumulation value to depart from a safe condition value stored and a reversion risk value causing the accumulation value to revert towards the safe condition value. In addition, the method may include defining a set of progressive threshold values associated with a set of progressive threat conditions, wherein a threshold value from the set includes one or more of a moderate threshold value and an elevated threshold value, and wherein a threat condition from the set is established for the device based on the accumulation value. The method may also include managing the threat condition by defining an operational mode for the device in response to the threat condition.

The method may include determining a correlation among two or more of the triggers and/or applying a weight factor to the accumulation value based on the correlation. The method may include determining a transition across the threshold value from the set by the accumulation value to establish the threat condition and/or modifying the threshold value from the set based on a risk profile, wherein the risk profile accounts for a device used, a usage context, and/or a usage location. The method may include maintaining a current operational mode when a threshold value is not crossed and/or modulating the current operational mode when the threshold value is crossed, wherein the current operational mode includes a fully operational mode, a partially operational mode, and/or a fully inoperable mode. The method may include setting the accumulation value to be a limit value independently of a previous value of the accumulation value and/or setting the accumulation value when a trigger persists for a time duration.

Embodiments may include a computer program product having a computer readable storage medium and computer usable code stored on the computer readable storage medium. If executed by a processor, the computer usable code may cause a computer to identify a plurality of triggers over a period of time, wherein each of the triggers are to be associated with a threat risk value. The computer usable code, if executed, may also cause a computer to determine an accumulation value based on an aggregation of each threat risk value over the period of time. The computer usable code, if executed, may also cause a computer to define a set of progressive threshold values to be associated with a set of progressive threat conditions, wherein a threat condition from the set is to be established for the device based on the accumulation value. The computer usable code, if executed, may also cause a computer to manage the threat condition, wherein an operational mode for a device is to be defined in response to the threat condition.

Embodiments may include a computer program product having a computer readable storage medium and computer usable code stored on the computer readable storage medium. If executed by a processor, the computer usable code may cause a computer to identify a plurality of triggers over a period of time, wherein the plurality of triggers are to include a suspicion trigger to indicate suspicious activity for a device and a calming trigger to indicate calming activity for the device, and wherein each of the triggers are to be associated with a threat risk value. The computer usable code, if executed, may also cause a computer to determine an accumulation value based on an aggregation of each threat risk value over the period of time, wherein the threat risk value is to include a departure risk value to cause the accumulation value to depart from a safe condition value and a reversion risk value to cause the accumulation value to revert towards the safe condition value. The computer usable code, if executed, may also cause a computer to define a set of progressive threshold values to be associated with a set of progressive threat conditions, wherein a threshold value from the set is to include one or more of a moderate threshold value and an elevated threshold value, and wherein a threat condition from the set is to be established for the device based on the accumulation value. The computer usable code, if executed, may also cause a computer to manage the threat condition, wherein an operational mode for the device is to be defined in response to the threat condition.

The computer usable code, if executed, may also cause a computer to determine a correlation among two or more of the triggers and/or apply a weight factor to the accumulation value based on the correlation. The computer usable code, if executed, may also cause a computer to determine a transition across the threshold value from the set by the accumulation value to establish the threat condition and/or modify the threshold value from the set based on a risk profile, wherein the risk profile is to account for a device to be used, a usage context, and/or a usage location. The computer usable code, if executed, may also cause a computer to maintain a current operational mode when a threshold value is not crossed and/or modulate the current operational mode when the threshold value is crossed, wherein the current operational mode includes a fully operational mode, a partially operational mode, and/or a fully inoperable mode. The computer usable code, if executed, may also cause a computer to set the accumulation value to be a limit value independently of a previous value of the accumulation value and/or to set the accumulation value when a trigger is to persist for a time duration.

Embodiments may include an apparatus including a processor to identify a plurality of triggers over a period of time, wherein each of the triggers are to be associated with a threat risk value. The apparatus may include a processor to determine an accumulation value based on an aggregation of each threat risk value over the period of time. The apparatus may include a processor to define a set of progressive threshold values to be associated with a set of progressive threat conditions, wherein a threat condition from the set is to be established for the device based on the accumulation value. The apparatus may include a processor to manage the threat condition, wherein an operational mode for a device is to be defined in response to the threat condition.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The various advantages of the embodiments of the present invention will become apparent to one skilled in the art by reading the following specification and appended claims, and by referencing the following drawings, in which:

FIG. 1 is a block diagram of an example of a scheme to manage a threat condition according to an embodiment;

FIG. 2 is a block diagram of an example of an architecture including logic to manage a threat condition according to an embodiment;

FIG. 3 is a flowchart of an example of a method to manage a threat condition according to an embodiment;

FIG. 4 is a flowchart of an example of a method to manage a threat condition according to an embodiment; and

FIG. 5 is a block diagram of an example of a computing device according to an embodiment.

DETAILED DESCRIPTION

As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.

A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

Referring now to FIG. 1, a scheme 12 is shown to manage a threat condition according to an embodiment. The illustrated scheme 12 includes a device 14, which may include any platform. In one example, the platform may include a mobile computing platform such as a smart phone, a notebook, a tablet, and so on, or combinations thereof. In another example, the platform may include a fixed computing platform, such as a desktop computer, a server, an automatic transfer machine, a kiosk, a gaming console, and so on, or combinations thereof. The illustrated device 14 includes an image capture device 16 (e.g., a camera) and a display 18 (e.g., a touchscreen). Accordingly, the device 14 may include a sensor, such as the image capture device 16 (e.g., a two-dimensional camera, a three-dimensional camera, etc.), the display 18 (e.g., a capacitive touch screen, a resistive touch screen, etc.), a global positioning system (GPS), an accelerometer, a gyroscope, a microphone, a communication interface (e.g., WiFi, Bluetooth, Cellular, etc.) and so on, or combinations thereof. In the illustrated example, a fully operational mode 20 is defined for the device 14, wherein no functional capability of the device 14 is to be limited, suspended, and so on, or combinations thereof.

The illustrated scheme 12 may also include a risk assessment tool 22. The risk assessment tool may include any data structure format. For example, the risk assessment tool 22 may include a database table. The database table may include any arrangement (e.g., combinations, locations, etc.) of any element described herein, such as a trigger, a threat risk value, an accumulation value, a threshold value, a threat condition, an operational capability, a correlation, a security action, a usage pattern, and so on, or combinations thereof. In one example, a counter may be implemented to update an element of the database table, such as the accumulation value, and so on. For the purpose of illustration, the risk assessment tool 22 includes a graduated one-dimensional Cartesian coordinate scale having a positive coordinate (e.g., 0 to 15 in one axis). It should be understood that any scale may be utilized, including a one-dimensional Cartesian coordinate scale having a negative coordinate and a positive coordinate (e.g., −15 to 15 in one axis), a three-dimensional Cartesian coordinate scale having coordinates in three dimensions (e.g., X, Y, Z coordinates), a Polar coordinate scale having a radial coordinate and an angular coordinate, and so on, or combinations thereof.

In the illustrated example, the fully operational mode 20 is defined for the device 14. For example, the device 14 may be newly deployed, a counter may be reset and/or reflect a specific value associated with the fully operational mode 20, the device 14 may be held by an owner (e.g., administrator, purchaser, assigned user, etc.) where no threat has been perceived by the device 14, and so on, or combinations thereof. Accordingly, a current user may utilize the device 14 to leverage the full functional capabilities of the device 14. A plurality of triggers may be identified over a period of time, such as minutes, days, weeks, and so on, or combinations thereof. The plurality of triggers may include a suspicion trigger to indicate suspicious activity for the device 14. The suspicion trigger may be generated and/or implemented automatically, for example independently of a request (e.g., from the owner, etc.) for a security status related to the device 14. For example, the suspicion trigger may be generated automatically in response to a departure from an established usage pattern. The established usage pattern may include a geospatial travel pattern, a geospatial location pattern, a device handling pattern, a communication pattern, a short message service pattern, an audio pattern, a user recognition pattern, and so on, or combinations thereof.

In one example, the GPS system of the device 14 may be utilized to indicate that the device 14 is deviating from an established (e.g., normal, typical, usual, etc.) geospatial travel area and/or geospatial travel route (e.g., an established travel route for a work day, an established travel route for a leisure day, an established travel route for a time of day, etc.), that the device 14 is deviating from an established geospatial location (e.g., an established location for a work day, an established location for a leisure day, an established location for a time of day, etc.), and so on, or combinations thereof. In another example, the communication interface of the device 14 may be utilized to indicate that the device 14 is deviating from an established communication pattern, such as a type and/or frequency of incoming call (e.g., public switched telephone network calls, voice over internet protocol calls, etc.), a type and/or frequency of incoming messages (e.g., instant messages, electronic mail messages, short message service text, etc.), a type and/or frequency of outgoing calls, a type and/or frequency of outgoing messages, a connection with a device such as a Bluetooth device (e.g., a Bluetooth ear bud, a Bluetooth keypad, a Bluetooth mouse, etc.), a connection with a network such as a WiFi network (e.g., a WiFi hotspot, etc.), a connection with a cellular carrier (e.g., a telecommunications provider), and so on, or combinations thereof.

The accelerometer and/or the gyroscope of the device 14 may be utilized to indicate that the device 14 is deviating from an established device handling pattern, such as a gait of a walk of the current user when the user possesses the device 14 (e.g., when in the user's hands, when in a pocket, etc.), the manner in which the device 14 is treated by the user (e.g., rough, gentle, etc.), the manner in which the device 14 is held (e.g., right handed, left handed, in a pocket, in a purse, etc.), and so on, or combinations thereof. In one example, a combination of GPS data and accelerometer data may be utilized to indicate that the device 14 is deviating from an established hybrid pattern, such as a hybrid leisure activity pattern (e.g., current pattern including running in a park rather than an established pattern of walking in a park, etc.), a hybrid work pattern (e.g., current pattern including being carried at high speed in an automobile during work hours rather than an established pattern of no high speed acceleration during work hours, etc.). The microphone of the device 14 may be utilized to indicate that the device 14 is deviating from an established audio pattern, such as a proximity of a voice to the device 14, background noise, and so on, or combinations thereof.

The microphone of the device 14 may also be utilized to indicate that the device 14 is deviating from an established user recognition pattern, such as a pitch of a voice, a tone of the voice, linguistics, phonetics, and so on, or combinations thereof. The image capture device 16 may also be utilized to indicate that the device 14 is deviating from an established user recognition pattern, such as an image of the user (e.g., facial recognition, eye recognition, etc.), an image of the surroundings, and so on, or combinations thereof. The display 18 may also be utilized to indicate that the device 14 is deviating from an established user recognition pattern, such as a finger print pattern, a palm print pattern, and so on, or combinations thereof. In one example, the microphone, the image capture device 16, and/or the display 18 may be utilized without causing the current user of the device 14 to become aware (e.g., to silently collect data) of the data collection. For example, the display 18 may silently (e.g., unintrusively) collect a finger print scan and/or palm print scan when the user is holding the device 14 without causing the user to become aware that the scan is executed.

It should be understood that the suspicion trigger may indicate any suspicious activity and/or may be generated in response to a departure from any established pattern. For example, the suspicion trigger may be generated in response to a deviation from an application pattern (e.g., applications used), a music pattern (e.g., music requested), a video pattern (e.g., videos requested), and so on, or combinations thereof. Accordingly, any unusual usage of the device 14 (e.g., unusual media content pattern) may generate suspicion. It should also be understood that any sensor may provide data to generate and/or implement any trigger, such as a climate sensor to provide temperature data, weather data, and so on, or combinations thereof. Moreover, it should be understood that the device 14 may implement any unintrusive operation, such as silently forwarding any data to any party (e.g., forwarding the finger print scan to law enforcement, a current location to the owner, a photograph of the current user, etc.).

The plurality of triggers may also include a calming trigger to indicate calming activity for the device 14. The calming trigger may be generated and/or implemented automatically, for example independently of a security prompt (e.g., a password test, etc.) to the current user of the device 14. In one example, the calming trigger may be generated based on a disappearance of the suspicion trigger. The suspicion trigger may, for example, be implemented as the calming trigger if the suspicion trigger disappears for a preset amount of time to indicate stability for the device 14. For example, the GPS sensor of the device 14 may be utilized to indicate that the device 14 is in an established geospatial travel pattern for thirty minutes before the suspicion trigger may be implemented as the calming trigger. The suspicion trigger may be implemented as the calming trigger, for example, by causing an opposite effect which may be caused by the suspicion trigger (e.g., subtract points where the effect of the suspicion trigger is to add points, etc.). In addition, the effect of the suspicion trigger may be held (e.g., do not add points immediately, etc.) for the preset amount of time, the suspicion trigger may be implemented immediately to cause the effect which may be subsequently countered when the suspicion trigger is implemented as the calming trigger, and so on, or combinations thereof.

In another example, the calming trigger may be generated and/or implemented automatically based on an encounter of the calming activity, such as a reversion towards an established usage pattern, such as the geospatial travel pattern, the geospatial location pattern, the device handling pattern, the communication pattern, the short message service pattern, the audio pattern, the user recognition pattern, the application usage pattern, the music usage pattern, and so on, or combinations thereof. For example, the GPS sensor of the device 14 may be utilized to indicate that the device 14 is in (e.g., reverted back to, etc.) an established geospatial travel pattern, the microphone of the device 14 may be utilized to indicate that the proximity of the voice to the device 14 matches (e.g., reverted back to, etc.) an established proximity pattern of the owner, and so on, or combinations thereof. It should be understood that while the calming activity may include a response to a security prompt (e.g., a password in response to a test, etc.), it is not a required calming trigger for the management of the threat condition. Indeed, the calming trigger may dynamically counteract the effect of the suspicion trigger for the device 14, and vice versa, independently of a security status request, a prompt, and so on, or combinations thereof. The plurality of triggers may, for example, be generated and/or implemented silently, synchronously, noninvasively, unintrusively (as desired), and so on, or combinations thereof.

Each of the triggers may be associated with a threat risk value. The threat risk value may include any value format, such as a relative threat risk value, a numerical threat risk value, and so on, or combinations thereof. In one example, the relative threat risk value may include the value “low”, “medium”, “high”, and so on, or combinations thereof. In another example, the numerical threat risk value may include a negative integer (e.g., −1 point, −2 points, −30 degrees, etc.), a positive integer (e.g., 1 point, 2 points, 30 degrees, etc.), and so on, or combinations thereof. In the illustrated example, the suspicion trigger includes a departure risk value defined by a positive integer (e.g., a positive point value) and the calming trigger includes a reversion risk value defined by a negative integer (e.g., a negative point value), which may be based on the format of the risk assessment tool 22 (e.g., a one-dimensional Cartesian scale starting at the value zero and ending at the value fifteen).

An accumulation value 24 may be determined based on an aggregation of each threat risk value over a period of time. Accordingly, the accumulation value 24 may include any value format, such as a relative accumulation value, a numerical accumulation value, and so on, or combinations thereof. In one example, the relative accumulation value may include the value “low”, “medium”, “high”, and so on, or combinations thereof. In another example, the numerical accumulation value may include a negative integer (e.g., −1 point, −2 points, −30 degrees, etc.), a positive integer (e.g., 1 point, 2 points, 30 degrees, etc.), and so on, or combinations thereof. The aggregation may include a sum, an average, a mean, a maximum, a minimum, first, last, standard deviations, and so on, or combinations thereof. In the illustrated example, the accumulation value 24 is determined to be the integer value zero (0). A counter may be maintained for the accumulation value 24, for example in data storage, data memory, and so on, or combinations thereof. Accordingly, the counter may read zero (0) in the illustrated example. It should be understood that the accumulation value 24 may include a range of values, a single value (as illustrated), and so on, or combinations thereof.

The accumulation value 24 may be adjusted by each threat risk value, for example via the aggregation thereof. The accumulation value 24 may also be modified by a weight factor. In one example, the weight factor may be based on a correlation among two or more of the triggers. For example, triggers may correlate in temporal scope (e.g., occurring within a minute, an hour, etc.), in geographic scope (e.g., an unusual WiFi hotspot within an unusual geospatial travel path, etc.), in usage scope (e.g., left hand rough usage, right hand gentle usage, etc.), in recognition scope (e.g., facial image mismatch, voice pitch mismatch, etc.), in type scope (e.g., suspicion, calming, etc.). In one example, multiple correlating suspicion triggers may cause a multiplication weight factor to be applied to modify the accumulation value 24 instead of, for example, merely adding the threat risk values since the correlation indicates relatively greater confidence than a single suspicion trigger. In another example, multiple correlating calming triggers may cause a multiplication weight factor to be applied to modify the accumulation value 24 instead of, for example, merely subtracting the threat risk values since the correlation indicates relatively greater confidence than a single calming trigger.

In the illustrated example, a set of progressive threshold values 26, 28 are defined, which may be based on the format of the risk assessment tool 22. The threshold values 26, 28 may include any value format, such as a relative threshold value, a numerical threshold value, and so on, or combinations thereof. In one example, the relative threshold value may include the value “minimal”, “moderate”, “elevated”, and so on, or combinations thereof. In another example, the numerical threshold value may include a negative integer (e.g., −1 point, −2 points, −30 degrees, etc.), a positive integer (e.g., 1 point, 2 points, 30 degrees, etc.), and so on, or combinations thereof. In the illustrated example, the threshold value 26 includes a moderate threshold value and the threshold value 28 includes an elevated threshold value, wherein the threshold value 26 is defined by a positive integer value five (5) and the threshold value 28 is defined by a positive integer value ten (10). The threshold values 26, 28 may be progressive since they may include the same units (e.g., points), may be graduated, may be hierarchical, may be successive, and so on, or combinations thereof. It should be understood that the threshold values 26, 28 may include a range of values, a single value (as illustrated), and so on, or combinations thereof. It should also be understood that any number of incremental threshold values may be implemented.

The illustrated threshold values 26, 28 may be modified at any time. For example, the threshold values 26, 28 may be modified based on a risk profile. In one example, the risk profile may account for a device to be used. The risk profile may define, for example, that a mobile platform may be considered to be at a higher security risk relative to a fixed platform, a smart phone may be considered to be at higher risk relative to a standalone camera, and so on, or combinations thereof. In another example, the risk profile may account for a usage context. The risk profile may define, for example, that a work platform used for employment activities may be considered to be at higher risk relative to a personal platform used for leisure activities, a notebook used primarily for non-gaming activities may be considered to be at higher risk relative to a gaming console used primarily for gaming activities, and so on, or combinations thereof. The risk profile may also account for a usage location. The risk profile may define, for example, that a platform used in a secure location (e.g., home, office, etc.) may be considered at lower risk relative to a public location (e.g., a coffee store, a shopping plaza, etc.), and so on. Accordingly, the threshold values 26, 28 may be modified based on the risk profile (e.g., increase values for a mobile platform, decrease values for a fixed platform, etc.).

In the illustrated example, the set of progressive threshold values 26, 28 are associated with a set of progressive threat conditions. The threat conditions may be defined by any value format, such as a relative threat condition value, a numerical threat condition value, and so on, or combinations thereof. In one example, the relative threat condition value may include the value “safe”, “undetermined”, “suspicious”, “compromised”, “lost”, “stolen”, and so on, or combinations thereof. In another example, the numerical threat condition value may include a negative integer (e.g., −1 point, −2 points, −30 degrees, etc.), a positive integer (e.g., 1 point, 2 points, 30 degrees, etc.), and so on, or combinations thereof. In the illustrated example, the set of progressive threat conditions includes a safe condition, a suspicion condition, and a compromised condition (which may include a lost condition and/or a stolen condition), wherein the safe condition is defined by a positive integer value region from a limit value (e.g., boundary) of the risk assessment tool (e.g., zero) to the threshold value 26 (e.g., five), wherein the suspicious condition is defined by a positive integer value region from the threshold value 26 (e.g., five) to the threshold value 28 (e.g., ten), and wherein the compromised condition is defined by a positive integer value region from the threshold value 28 (e.g., ten) to another limit value (e.g., boundary) of the risk assessment tool 22 (e.g., fifteen).

Accordingly, the threshold value 26 (e.g., a moderate threshold value five) may separate the safe condition value region and the suspicious condition value region. In addition, an elevated threshold value (e.g., an elevated threshold value of ten) may separate the suspicious condition value region and one or more of a lost condition value region and a stolen condition value region. Moreover, the threat conditions may be progressive since they may include the same units (e.g., points), may be graduated, may be hierarchical, may be successive, and so on, or combinations thereof. It should be understood that the threat conditions may include a range of values (as illustrated), a single value, and so on, or combinations thereof. It should also be understood that any number of threat conditions may be implemented.

In the illustrated example, a suspicion trigger 30 is encountered. The suspicion trigger 30 includes a departure risk value to cause the accumulation value 24 to depart from a safe condition value zero (0) to another safe condition value one (1). The magnitude of the departure may be predetermined (e.g., configured, preset, etc.), may be based on a severity ascribed to the suspicion trigger 30, and so on, or combinations thereof. For example, the threat risk value associated with the suspicion trigger 30 is a positive integer value one (1) in the illustrated example, which may be predetermined for the suspicion trigger 30 to indicate relatively unimportant security activity (e.g., a relatively minor deviation from an established travel path, a new Bluetooth device, etc.). Accordingly, the threat risk value associated with the suspicion trigger 30 may be added to the accumulation value 22, which causes the accumulation value 22 to depart from a safe condition value zero (0) to a safe condition value one (1). In addition, the counter maintaining the accumulation value 22 may be updated to read one (1).

The threat condition for the device 14 may be established based on the accumulation value 24. In the illustrated example, the threat condition may be established as the safe condition. For example, the absence of a transition across the threshold values 26, 28 may be determined based on the change in value of the accumulation value 24, based on the final total value of the accumulation value 24, based on the appearance of the accumulation value 24 in the safe condition value region, and so on, or combinations thereof. In the illustrated example, the threat condition is established as the safe condition since the accumulation value 24 has not crossed the threshold values 26, 28 and remains in the safe condition value region. The safe threat condition may be managed by defining an operational mode for the device 14 in response to the safe threat condition. For example, a security action may be performed to define the operational mode. The security action may include, for example, maintaining the current operational mode, modulating the current operational mode, and so on, or combinations thereof. In the illustrated example, the operational mode is maintained and defined as the fully operational mode 20.

A suspicion trigger 32 is encountered in the illustrated example. The suspicion trigger 32 includes a departure risk value to cause the accumulation value 24 to depart from a safe condition value one (1) to a suspicious condition value six (6). The magnitude of the departure may be predetermined (e.g., configured, preset, etc.), may be based on a severity ascribed to the suspicion trigger 32, and so on, or combinations thereof. For example, the threat risk value associated with the suspicion trigger 32 is a positive integer value five (5) in the illustrated example, which may be predetermined for the suspicion trigger 32 to indicate moderately severe security activity (e.g., a moderately severe deviation from an established travel path, a deviation from a work pattern, etc.). Accordingly, the threat risk value associated with the suspicion trigger 32 may be added to the accumulation value 24, which causes the accumulation value 24 to depart from a safe condition value one (1) to a suspicion condition value six (6). In addition, the counter maintaining the accumulation value 24 may be updated to six (6). Accordingly, multiple triggers, such as the suspicion triggers 30, 32, may be sufficient to cross a threshold such as the threshold values 26.

The threat condition for the device 14 may be established based on the accumulation value 24. In the illustrated example, the threat condition may be established as the suspicious condition, wherein a transition across only the threshold value 26 is determined based on the accumulation value 24. For example, a transition across only the threshold value 26 may be determined based on the change in value of the accumulation value 24, based on the final total value of the accumulation value 24, based on the appearance of the accumulation value 24 in the suspicious condition value region, and so on, or combinations thereof. In the illustrated example, the threat condition is established as the suspicious condition since the accumulation value 24 has only crossed the threshold value 26 and remains in the suspicious condition value region. The suspicious threat condition may indicate, for example, that the device 14 is perceived to be at a relatively modest risk of being compromised, such as hacked, lost, stolen, and so on, or combinations thereof.

The suspicious threat condition may be managed by defining an operational mode for the device 14 in response to the suspicious threat condition. For example, a security action may be performed to define the operational mode. The security action may include, for example, maintaining the current operational mode, modulating the current operational mode, and so on, or combinations thereof. In the illustrated example, the operational mode is defined as a partially operational mode 34. In one example, the fully operational mode 20 may be modulated (e.g., changed) to the partially operational mode 34 since the accumulation value 24 transitions across only the threshold value 26 to establish the suspicious threat condition.

There may be a limit on a functional capability of the device 14 as a result of the partially operational mode 34. For example, a communication capability may be limited, such as limiting the duration of a long-distance call, the duration of an out-of-carrier call, the size of a data download, the type of data to be downloaded (e.g., audio, video, etc.), the connection to a WiFi hotspot, the connection to a Bluetooth device, the connection to a telecommunication carrier, and so on, or combinations thereof. The device usage capability may be limited, for example, by limiting access to an application (e.g., social media applications, electronic mail applications, etc.), to a file (e.g., music files, image files, video files, contact lists, etc.), to a web site, to a bookmark, to a favorite, to a text message, to a voice mail, to a calendar, and so on, or combinations thereof. The partially operational mode 34 may, in another example, include not limiting any functional capability, may include enhanced data collection and/or processing (e.g., more frequent sampling window, more types of suspicious activities to be included, additional threshold values, etc.), and so on, or combinations thereof. Accordingly, there may be multiple varying modes of partial operation, such as a range of levels from a level 1 partially operational mode (e.g., least relatively limited partially operational mode) to a level 10 partially operational mode (e.g., most relatively limited partially operational mode) including varying degrees of limit to the communication capability, the device usage capability, enhanced data collection and/or processing, and so on, or combinations thereof.

A suspicion trigger 36 is encountered in the illustrated example. The suspicion trigger 36 includes a departure risk value to cause the accumulation value 24 to depart from a suspicious condition value six (6) (e.g., in a direction away from any value in the safe condition value range) to a compromised condition value fourteen (14). The magnitude of the departure may be predetermined (e.g., configured, preset, etc.), may be based on a severity ascribed to the suspicion trigger 36, and so on, or combinations thereof. For example, the threat risk value associated with the suspicion trigger 36 is a positive integer value eight (8) in the illustrated example, which may be predetermined for the suspicion trigger 36 to indicate highly severe security activity (e.g., a different finger print pattern, a different facial recognition pattern, etc.). Accordingly, the threat risk value associated with the suspicion trigger 36 may be added to the accumulation value 24, which causes the accumulation value 24 to depart from the suspicion condition value six (6) to the compromised condition value fourteen (14). In addition, the counter maintaining the accumulation value 24 may be updated to read fourteen (14).

The threat condition for the device 14 may be established based on the accumulation value 24. In the illustrated example, the threat condition may be established as the compromised condition, wherein a transition across the threshold value 28 is determined based on the accumulation value 24. For example, a transition across the threshold value 28 may be determined based on the change in value of the accumulation value 24, based on the final total value of the accumulation value 24, based on the appearance of the accumulation value 24 in the compromised condition value region, and so on, or combinations thereof. In the illustrated example, the threat condition is established as the compromised condition since the accumulation value 24 has crossed the threshold value 28 and remains in the compromised condition value region. The compromised threat condition may indicate, for example, that the device 14 may be perceived to be at a relatively high risk of being compromised, such as hacked, lost, stolen, and so on, or combinations thereof.

The compromised threat condition may be managed by defining an operational mode for the device 14 in response to the suspicious threat condition. For example, a security action may be performed to define the operational mode. The security action may include, for example, maintaining the current operational mode, modulating the current operational mode, and so on, or combinations thereof. In the illustrated example, the operational mode is defined as a fully inoperable mode 38. In one example, the partially operational mode 34 may be modulated (e.g., changed) to the fully inoperable mode 38 since the accumulation value 24 transitions across the threshold value 28 to establish the compromised threat condition.

There may be a suspension of a functional capability of the device 14 as a result of the fully inoperable mode 38. For example, a communication capability may be suspended, such as restricting a long-distance call, an out-of-carrier call, a data download, a connection to a WiFi hotspot, a connection to a Bluetooth device, a connection to a telecommunication carrier, and so on, or combinations thereof. The device usage capability may be suspended, for example, by restricting access to an application (e.g., social media applications, electronic mail applications, etc.), to a file (e.g., music files, image files, video files, contact lists, etc.), to a web site, to a bookmark, to a favorite, to a text message, to a voice mail, to a calendar, and so on, or combinations thereof. The fully inoperable mode 38 may include enhanced data collection and/or processing (e.g., more frequent sampling window, more types of suspicious activities to be included, additional threshold values, etc.), and so on, or combinations thereof.

It should be understood that a threat condition may be managed by a security action involving any action. The security action may include notifying another device (e.g., of the owner, etc.) about the threat condition of the device 14 via an alert. The alert may include, for example, an electronic mail alert, a text message alert, an instant message alert, a telephone call, an image alert, and so on, or combinations thereof. In one example, a mode-less action (e.g., an action which may not define and/or change an operational mode) may be performed when the threshold value 26 is crossed in any direction (e.g., in a forward direction, a backward direction, etc.), such as forwarding the alert (e.g., a notification such as a phone message, a photo taken of the current user, etc.) to a home telephone of the owner of the device 14, a desktop personal computer of the owner of the device 14, a remote log (e.g., an external log service), and so on, or combinations thereof. The alert may be forwarded to any further device, such as a device of a friend of the owner, a family member of the owner, a coworker of the owner, a superior of the owner, based on a status such as “next of kin”, and so on, or combinations thereof.

The destination of the alert may be based on, for example, a list of contacts, a list of social media friends, a calendar, a relationship with the owner of the device 14, and so on, or combinations thereof. For example, the alert may be forwarded to a device of an individual expected to currently be with the owner based on the calendar, based on frequent communications with the individual, and so on, or combinations thereof. The owner may instruct the device 14 to enter and/or remain in a lockdown mode, for example, when the device 14 is lost and/or stolen (e.g., a compromised condition) in response to the alert. The security action may also include, for example, waiting for another trigger before taking a further action, such as waiting for another suspicious trigger, another calming trigger, and so on, or combinations thereof. The security action may involve, for example, prompting the owner for a calming trigger, such as authentication data (e.g., password, finger print, etc.).

A calming trigger 40 is encountered in the illustrated example. In one example, no request of a security check and/or no prompt may be required for the generation and/or implementation of the calming trigger 40. For example, the calming trigger may be automatically generated and/or implemented when a password is identified, when a facial match is identified, when a finger print match is identified, when a palm print match is identified, when a voice match is identified, when a secure operation is identified, and so on, or combinations thereof. The secure operation may include, for example, a secure (e.g., authenticated) instruction to ignore a suspicion trigger, to lower a disappearance time for the suspicion trigger, to modify a threshold value, to reset an accumulation value, to delete a log for a trigger, to add a new usage pattern, and so on, or combinations thereof. The calming trigger may also be automatically generated and/or implemented when the owner reverts back to an established pattern, such as the established geospatial travel pattern, the established geospatial location, the established application pattern, and so on, or combinations thereof.

The calming trigger 40 includes a reversion risk value to cause the accumulation value 24 to revert towards a safe condition value (e.g., to the value zero, to a value in the safe condition value region, to a value in the suspicious condition value region, to a value in the compromised condition value region closer to a safe condition value, etc.) from the compromised condition value fourteen (14). The magnitude of the departure may be predetermined (e.g., configured, preset, etc.), may be based on a severity ascribed to the calming trigger 40, and so on, or combinations thereof. For example, the threat risk value associated with the calming trigger 40 is a negative integer value eleven (11) in the illustrated example, which may be predetermined for the calming trigger 40 to indicate highly severe calming activity (e.g., a finger print pattern match, a facial recognition pattern match, etc.). Accordingly, the threat risk value associated with the calming trigger 40 may be added to the accumulation value 24, which causes the accumulation value 24 to revert to the safe condition value three (3) from the compromised condition value fourteen (14). In addition, the counter maintaining the accumulation value 24 may be updated to read three (3). Accordingly, a single trigger, such as the calming trigger 40, may be sufficient to cross a threshold, such as the threshold values 26, 28.

The threat condition for the device 14 may be established based on the accumulation value 24. In the illustrated example, the threat condition may be established as the safe condition, wherein a transition across the threshold values 26, 28 is determined based on the accumulation value 24. For example, a transition across the threshold values 26, 28 may be determined based on the change in value of the accumulation value 24, based on the final total value of the accumulation value 24, based on the appearance of the accumulation value 24 in the safe condition value region, and so on, or combinations thereof. In the illustrated example, the threat condition is established as the safe condition since the accumulation value 24 has crossed the threshold values 26, 28 and remains in the safe condition value region. The safe condition may indicate, for example, that the device 14 may be perceived to be at a relatively low risk of being compromised, such as hacked, lost, stolen, and so on, or combinations thereof.

The safe threat condition may be managed by defining an operational mode for the device 14 in response to the safe threat condition. For example, a security action may be performed to define the operational mode. The security action may include, for example, maintaining the current operational mode, modulating the current operational mode, and so on, or combinations thereof. In the illustrated example, the operational mode is defined as the fully operational mode 20. In one example, the fully inoperable mode 38 may be modulated (e.g., changed) to the fully operable mode 20 since the accumulation value 24 transitions across the threshold values 28, 26 to establish the safe threat condition. Accordingly, even though the accumulation value 24 may not be reset to the value zero (0), the current user of the device 14 may still leverage the full functional capability of the device 14.

It should be understood that a trigger may be used to set an accumulation value directly to any value independent of its previous value. In one example, the calming trigger 40 may set the accumulation value 24 directly to, and/or independently of a previous value of the accumulation value 24, the integer value zero (0) (e.g., a limit value, a minimized value, a maximized value, etc.), for example when a secret PIN number operates as a threat reset and is encountered. Accordingly, entering a predetermined PIN number may calm the device 14 independently of its previous state and/or mode. In another example, the suspicion trigger 32 may set the accumulation value 24 directly to, and/or independently of a previous value of the accumulation value 24, the integer value fifteen (15) (e.g., a limit value, a minimized value, a maximized value, etc.), for example when a fingerprint mismatch indicates an extremely serious threat and is encountered. In addition, one or more security actions (e.g., all actions) associated with one or more threshold values (e.g., all thresholds) crossed may be implemented during the transition.
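The walk-through above (triggers 30, 32, 36, calming trigger 40, then the two direct-set triggers) can be traced with the following Python example, which is added here and is not part of the patent text. Class, field and function names are hypothetical; clamping the accumulation value to the limit values and treating a value equal to a threshold as belonging to the higher region are assumptions the text leaves open.

```python
from bisect import bisect_right
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Values taken from the illustrated example: limits 0 and 15, thresholds 5 and 10.
LOWER_LIMIT, UPPER_LIMIT = 0, 15
THRESHOLDS = (5, 10)  # threshold values 26 (moderate) and 28 (elevated)
CONDITIONS = ("safe", "suspicious", "compromised")
MODES = {
    "safe": "fully operational",
    "suspicious": "partially operational",
    "compromised": "fully inoperable",
}


@dataclass(frozen=True)
class Trigger:
    name: str
    risk: int = 0                 # positive: departure (suspicion); negative: reversion (calming)
    set_to: Optional[int] = None  # when given, sets the accumulation value directly


@dataclass
class ThreatMonitor:
    value: int = LOWER_LIMIT                        # counter holding the accumulation value
    alerts: List[str] = field(default_factory=list)

    @staticmethod
    def condition_for(value: int) -> str:
        # Assumption: a value equal to a threshold falls in the higher region.
        return CONDITIONS[bisect_right(THRESHOLDS, value)]

    def apply(self, trigger: Trigger) -> Tuple[int, str, str, List[int]]:
        old = self.value
        new = trigger.set_to if trigger.set_to is not None else old + trigger.risk
        # Assumption: the accumulation value never leaves the tool's limit values.
        new = max(LOWER_LIMIT, min(UPPER_LIMIT, new))
        # A threshold is crossed when old and new lie on opposite sides of it.
        crossed = [t for t in THRESHOLDS if (old < t) != (new < t)]
        if new < old:
            crossed.reverse()  # report thresholds in the order they were passed
        direction = "forward" if new > old else "backward"
        for t in crossed:
            # Mode-less action: one alert per threshold crossed, in either direction.
            self.alerts.append(f"{trigger.name}: threshold {t} crossed {direction}")
        self.value = new
        condition = self.condition_for(new)
        return new, condition, MODES[condition], crossed


def run_walkthrough():
    """Replay the illustrated sequence, then the two direct-set triggers."""
    monitor = ThreatMonitor()
    sequence = [
        Trigger("suspicion trigger 30", risk=+1),
        Trigger("suspicion trigger 32", risk=+5),
        Trigger("suspicion trigger 36", risk=+8),
        Trigger("calming trigger 40", risk=-11),
        Trigger("fingerprint mismatch (direct set)", set_to=UPPER_LIMIT),
        Trigger("secret PIN reset (direct set)", set_to=LOWER_LIMIT),
    ]
    history = [monitor.apply(t) for t in sequence]
    return history, monitor.alerts


if __name__ == "__main__":
    history, alerts = run_walkthrough()
    for row in history:
        print(row)
    for line in alerts:
        print(line)
```
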

In addition, it should be understood that a trigger may be associated with a time value, wherein, in order for the trigger to have an effect, the trigger may persist (e.g., occur) for a time duration (e.g., a predetermined time duration). In one example, a suspicion trigger and/or a calming trigger may occur for a time duration (e.g., including a value of seconds, minutes, days, etc.) in order for the trigger to have an effect (e.g., add points, subtract points, jump directly to a threat condition, set an accumulation value to a particular value such as a limit value, cause a security action, etc.). In another example, a suspicion trigger may disappear for a time duration to prove stability instead of having an immediate calming effect without stability. For example, a GPS location may indicate for at least thirty minutes that the device 14 is in a normal area/path in which the device 14 usually travels before a calming trigger (e.g., the absence of the suspicion trigger for the time period, the appearance of the calming trigger for the time period, etc.) may be used to subtract points from the accumulation value 24.

A user interface (e.g., a graphical user interface, a command line interface, etc.) may be utilized to access one or more configurable settings to manage a threat condition. The settings may include options for a sensor (e.g., a camera, a touchscreen, etc.), for an operational mode (e.g., fully operational, fully inoperable, etc.), for a risk assessment tool (e.g., a table, a graph, etc.), for a trigger (e.g., suspicion triggers, calming triggers, etc.), for a pattern (e.g., recognition patterns, geospatial travel patterns, communication patterns, etc.), for a threat risk value (e.g., relative, numerical, etc.), for an aggregation (e.g., sum, multiplication, etc.), for a risk value adjustment and/or modification (e.g., correlations, weight factors, etc.), for a threshold value (e.g., relative, numerical, etc.), for a risk profile (e.g., device, usage context, usage location, etc.), for a threat condition (e.g., relative, numerical, ranges, cross thresholds, value of the accumulation value, etc.), for a functional capability (e.g., limits, suspension, no limits, etc.), for a security action (e.g., define operational mode, alert, etc.), to prompt (e.g., request password, etc.), and so on, or combinations thereof. In one example, the owner may iteratively set the operational mode of the device 14 to be the fully operational mode 20 by resetting the accumulation value 24 via the user interface when a friend is utilizing the device 14, by changing (e.g., modifying, suspending, etc.) the threshold values 26, 28 via the user interface, by forcing the operational mode to be the fully operational mode 20, and so on, or combinations thereof.

FIG. 2 shows a logic architecture 212 to manage a threat condition according to an embodiment. In the illustrated example, the logic architecture 212 includes a threat condition management logic 241. The illustrated threat condition management logic 241 includes a risk assessment tool logic 242, which may define a tool to be utilized to assess risk for a device, such as a mobile computing platform. In one example, the risk assessment logic 242 may define a database table including any element described herein in any arrangement (e.g., combinations, locations, etc.). For example, a row and/or a column of the table may specify a trigger, a threat risk value, an accumulation value, a threshold value, a threat condition, an operational capability, a correlation, a security action, and so on, or combinations thereof. In another example, the risk assessment logic 242 may define a scale, such as a one-dimensional Cartesian coordinate scale, a two-dimensional Cartesian coordinate scale, a three-dimensional Cartesian coordinate scale, a Polar coordinate scale, and so on, or combinations thereof. The tool may be stored in data storage.

In addition, the tool may be modified. In one example, the tool may be modified in response to user input data 243 including a setting for a trigger, a threat risk value, a threshold value, a threat condition, an operational mode, and so on, or combinations thereof. Accordingly, the user input data 243 may be utilized to preset one or more of a trigger from the plurality of triggers, a threat risk value to be associated with the trigger, a threat condition for the device, a threshold value to be associated with the threat condition, a security action to be associated with the threshold value, and so on, or combinations thereof. The tool (e.g., table, scale, etc.) may also be modified utilizing a counter to update elements (e.g., an accumulation value, etc.) thereof.

The illustrated threat condition management logic 241 includes a trigger logic 245. In the illustrated example, the trigger logic 245 includes a trigger generation logic 246, which may generate a plurality of triggers over a period of time. For example, the illustrated trigger generation logic 246 may generate a suspicion trigger, a calming trigger, and so on, or combinations thereof. The suspicion trigger may indicate suspicious activity for the device. In one example, the suspicion trigger may be generated in response to a departure from an established usage pattern. The established usage pattern (and/or a pattern of interest such as a current usage pattern, a usage pattern sampled at a period of time of interest, etc.) may be determined utilizing pattern data 244, which may include data from data storage, from a sensor, and so on, or combinations thereof. The established usage pattern (and/or the pattern of interest) may include one or more of a geospatial travel pattern, a geospatial location pattern, a device handling pattern, a communication pattern, a short message service pattern, a finger print pattern, a palm print pattern, an application pattern, a music pattern, and so on, or combinations thereof.

The calming trigger may indicate calming activity for the device. The calming trigger may be generated based on an encounter of the calming activity, such as in response to a reversion towards the established pattern. For example, the calming trigger may be generated when the device is located in an established geolocation, when the device is traveling in an established travel pattern, when the device is held by the owner, when the owner responds to a prompt with correct information, and so on, or combinations thereof. The calming trigger may also be based on a disappearance of the suspicion trigger. The suspicion trigger may, for example, be implemented as the calming trigger if the suspicion trigger disappears for a preset amount of time to indicate stability for the device. The plurality of triggers may be generated and/or implemented silently, synchronously, noninvasively, unintrusively (as desired), and so on, or combinations thereof.

In the illustrated example, the trigger logic 245 includes a trigger identification logic 247, which may identify a plurality of triggers over a period of time. For example, the illustrated trigger identification logic 247 may identify the suspicion trigger, the calming trigger, and so on, or combinations thereof. The period of time may include any period of time, such as seconds, minutes, hours, days, weeks, months, years, and so on, or combinations thereof. In the illustrated example, the trigger logic 245 includes a trigger correlation logic 248, which may determine a correlation among two or more of the triggers. For example, the illustrated trigger correlation logic 248 may determine that two or more triggers correlate in temporal scope, in geographic scope, in usage scope, in recognition scope, in type scope, and so on, or combinations thereof. It should be understood that the trigger logic 245 may be set and/or modified in response to the user input data 243 (e.g., via a user interface), which may include instructions involving the trigger logic 245.

The illustrated threat condition management logic 241 includes a threat risk logic 249. The illustrated threat risk logic 249 may define a threat risk value to be associated with a trigger, such as a relative threat risk value, a numerical threat risk value, and so on, or combinations thereof. In one example, each trigger in the plurality of triggers may be associated with a corresponding threat risk value. In the illustrated example, the threat risk value logic 249 includes a departure risk value logic 250, which may define a value causing an accumulation value to depart from a safe condition value. In the illustrated example, the threat risk value logic 249 includes a reversion risk value logic 251, which may define a value causing an accumulation value to revert towards the safe condition value. It should be understood that the threat risk logic 249 may be set and/or modified in response to the user input data 243 (e.g., via a user interface), which may include instructions involving the threat risk logic 249.

The illustrated threat condition management logic 241 includes an accumulation value logic 252. The illustrated accumulation value logic 252 may determine an accumulation value, such as a relative accumulation value, a numerical accumulation value, and so on, or combinations thereof. In the illustrated example, the accumulation value logic 252 includes an aggregation logic 253, which may aggregate each of the threat risk values over the period of time. In one example, the aggregation may include a sum, an average, a mean, a maximum, a minimum, first, last, standard deviations, and so on, or combinations thereof. In the illustrated example, the accumulation value logic 252 includes a counter logic 254, which may manage a counter for the accumulation value. The counter may be maintained, for example, in data storage, data memory, and so on, or combinations thereof. The counter value logic 254 may manage the stored counter by providing a pointer to the counter, by providing access to the counter, by reading the counter, by writing to the counter, by resetting the counter to a lower limit value (e.g., a boundary value), by setting the counter to an upper limit value (e.g., a boundary value), and so on, or combinations thereof.

In the illustrated example, the accumulation value logic 252 includes an adjustment logic 255, which may adjust the accumulation value. In one example, the adjustment logic 255 may adjust the accumulation value by implementing the threat risk values. For example, the adjustment logic 255 may adjust the accumulation value based on the departure risk value which causes the accumulation value to depart from the safe condition value. The adjustment logic 255 may also adjust the accumulation value based on the reversion risk value which causes the accumulation value to revert towards the safe condition value. The adjustment logic 255 may adjust the accumulation value independently of a previous value of the accumulation value. For example, the adjustment logic 255 may adjust the accumulation value directly to, and/or independently of a previous value of the accumulation value, a lower limit value (e.g., a boundary), an upper limit value (e.g., a boundary), and so on, or combinations thereof.

In another example, the adjustment logic 255 may adjust the accumulation value based on a weight factor. For example, the weight factor may be based on the correlation determined by the trigger correlation logic 248, which may be implemented to adjust the accumulation value by multiplication, division, squaring, cubing, taking a square root, taking a logarithm, and so on, or combinations thereof. Accordingly, a trigger may be implemented based on a presence thereof, based on a value thereof, and so on, or combinations thereof. It should be understood that the accumulation value logic 252 may be set and/or modified in response to the user input data 243 (e.g., via a user interface), which may include instructions involving the accumulation value logic 252.

The illustrated threat condition management logic 241 includes a threshold logic 256. The illustrated threshold logic 256 includes a threshold value logic 257, which may define a set of progressive threshold values, such as a relative accumulation value, a numerical accumulation value, and so on, or combinations thereof. The illustrated threshold value logic 257 may define a set of threshold values including the same units (e.g., points), a set of threshold values which are graduated, a set of threshold values which are hierarchical, a set of threshold values which are successive, and so on, or combinations thereof. In one example, the threshold value logic 257 may define a moderate threshold value, an elevated threshold value, and so on, or combinations thereof. The threshold values may be defined based on, for example, the format of the tool defined by the risk assessment tool logic 242. Accordingly, the moderate threshold value may include the positive integer value five (5) and the elevated threshold values may include the positive integer value ten (10) when the risk assessment tool logic 242 defines a one-dimensional Cartesian coordinate scale having an increasing security risk in one axis starting at the value zero (0) and ending at the value fifteen (15).

The illustrated threshold logic 256 includes a threshold modification logic 258, which may modify one or more of the threshold values. The illustrated threshold modification logic 258 may modify one or more of the threshold values based on a risk profile, which may account for a device to be used, a usage context, a usage location, and so on, or combinations thereof. In addition, the threshold logic 256 may be set and/or modified in response to the user input data 243 (e.g., via a user interface), such as instructions involving the threshold logic 256. For example, the illustrated threshold modification logic 258 may modify one or more of the threshold values based on the user input data 243 including instructions to increase the threshold values, decrease the threshold values, delete the threshold values, suspend the threshold values, and so on, or combinations thereof. In one example, the threshold values may be associated with a set of threat conditions.

The illustrated threat condition management logic 241 includes a threat condition logic 259. The illustrated threat condition logic 259 includes a threat condition value logic 260, which may define a set of progressive threat condition values, such as a relative threat condition value, a numerical threat condition value, and so on, or combinations thereof. The illustrated threat condition value logic 260 may define a set of threat condition values including the same units (e.g., points), a set of threat condition values which are graduated, a set of threat condition values which are hierarchical, a set of threat condition values which are successive, and so on, or combinations thereof. In one example, the threshold value logic 260 may define a safe condition value region to indicate a safe condition, a suspicious condition value region to indicate a suspicious condition, a compromised condition value region to indicate a compromised condition, and so on, or combinations thereof. Accordingly, a moderate threshold value may separate the safe condition value region and the suspicious condition value region, and an elevated threshold value may separate the suspicious condition value region and one or more of a lost condition value region and a stolen condition value region. The threat condition values may be defined based on, for example, the format of the tool defined by the risk assessment tool logic 242.

The illustrated threat condition logic 259 includes a threat condition establishment logic 261, which may establish the threat condition based on the accumulation value. In one example, the illustrated threat condition establishment logic 261 may determine a transition across one or more of the threshold values based on the accumulation value to establish the threat condition. For example, the threat condition establishment logic 261 may establish an absence and/or a presence of a transition across a threshold value based on a change in value of the accumulation value, based on a final total value of the accumulation value, based on an appearance of the accumulation value in a threat condition value region, and so on, or combinations thereof. In one example, the threat condition establishment logic 261 may establish a suspicious threat condition when there has been a transition of the accumulation value across the moderate threshold value from the safe condition value region to the suspicious condition value region, when the accumulation value appears in the safe condition value regions, and so on, or combinations thereof. It should be understood that the threat condition logic 259 may be set and/or modified in response to the user input data 243 (e.g., via a user interface), which may include instructions involving the threat condition logic 259.

The illustrated threat condition management logic 241 includes a mode logic 262. The illustrated mode logic 262 includes an operational mode logic 263, which may define an operational mode such as a fully operational mode, a partially operational mode, a fully inoperable mode, and so on, or combinations thereof. The fully operational mode may define that no functional capability of a device is to be limited, suspended, and so on, or combinations thereof. For example, a current user may utilize the device to leverage the full functional capabilities of the device. The partially operational mode may define that there may be a limit on a functional capability of a device. In one example, a communication capability may be limited, a device usage capability may be limited, and so on, or combinations thereof. The partially operational mode may define that there may be no limit on a functional capability of a device, that there may be enhanced data collection and/or processing (e.g., more frequent sampling window, more types of suspicious activities to be included, additional threshold values, etc.), and so on, or combinations thereof. The fully inoperable mode may define that there may be a limit and/or a suspension on a functional capability of a device. In one example, the communication capability may be suspended (e.g., totally restricted, totally blocked, etc.), the device usage capability may be suspended, and so on, or combinations thereof. In addition, the fully inoperable mode may define that there may be enhanced data collection and/or processing (e.g., more frequent sampling window, more types of suspicious activities to be included, additional threshold values, etc.), and so on, or combinations thereof.

In the illustrated example, the mode logic 262 includes a mode modulation logic 264, which may modulate the operational mode of the device to manage the threat condition. For example, the illustrated mode modulation logic 264 may implement a security action, such as maintaining the current operational mode, modulating the current operational mode, and so on, or combinations thereof. In one example, the mode modulation logic 264 may maintain a current operational mode when the threshold value is not crossed, when the threshold value is crossed (e.g., a moderate threshold value crossed, etc.), and so on, or combinations thereof. Maintaining the current operational mode may include a security action of awaiting another trigger before taking a further action, such as awaiting another suspicious trigger, another calming trigger, and so on, or combinations thereof.

In another example, the mode modulation logic 264 may modulate (e.g., change) a current operational mode when a threshold value is not crossed (e.g., increases in value along a scale without a threshold cross, etc.), may modulate the current operational mode when the threshold value is crossed, and so on, or combinations thereof. It should be understood that crossing the threshold value may include reaching the threshold value, passing the threshold value, and so on, or combinations thereof. Accordingly, mode logic 264 may automatically lock the device and/or disable one or more capabilities of a device, for example, via the partially operational mode and/or the fully inoperable mode when a threshold value is crossed, may await further triggers via the fully operational mode when a threshold value is not crossed, and so on, or combinations thereof. The mode logic 262 may be set and/or modified in response to the user input data 243 (e.g., via a user interface), which may include instructions involving the mode logic 262.

The illustrated threat condition management logic 241 includes an alert logic 208. The alert logic 208 may notify another device (e.g., of the owner) about the threat condition. The alert logic 208 may generate an alert including an electronic mail alert, a text message alert, an instant message alert, a telephone call, an image alert, and so on, or combinations thereof. In addition, the alert logic 208 may determine the destination of the alert based on, for example, a list of contacts, a list of social media friends, a calendar, and so on, or combinations thereof. The alert logic 208 may prompt the owner for data, such as a calming trigger including authentication data (e.g., password, fingerprint, etc.), and so on, or combinations thereof. The alert logic 208 may be set and/or modified in response to the user input data 243 (e.g., via a user interface), which may include instructions involving the alert logic 208.

FIG. 3 shows a method 312 to manage a threat condition according to an embodiment. Illustrated processing block 365 provides for identifying a plurality of triggers over a period of time, wherein each of the triggers is associated with a threat risk value. In one example, the plurality of triggers may include a suspicion trigger to indicate suspicious activity for a device and/or a calming trigger to indicate calming activity for the device. Thus, identifying the plurality of triggers at the block 365 may correspond to, for example, identifying the plurality of triggers (e.g., FIG. 1 and FIG. 2) already discussed. Illustrated processing block 366 provides for determining an accumulation value based on an aggregation of each threat risk value over the period of time. In one example, the threat risk value may include a departure risk value causing the accumulation value to depart from a safe condition value stored in a counter and/or a reversion risk value causing the accumulation value to revert towards the safe condition value stored in the counter. Thus, determining the accumulation value at the block 366 may correspond to, for example, determining the accumulation value (e.g., FIG. 1 and FIG. 2) already discussed.

Illustrated processing block 367 provides for defining a set of progressive threshold values associated with a set of progressive threat conditions. In one example, a threshold value from the set of threshold values may include a moderate threshold value and/or an elevated threshold value. In another example, a threshold condition from the set of threat conditions may include a safe condition, a suspicious condition, and/or a compromised condition (e.g., a lost condition, a stolen condition, etc.). Thus, defining the set of progressive threshold values associated with the set of progressive threat conditions at the block 367 may correspond to, for example, defining the set of progressive threshold values associated with the set of progressive threat conditions (e.g., FIG. 1 and FIG. 2) already discussed. Illustrated processing block 368 provides for establishing a threat condition from the set of threat conditions based on the accumulation value. In one example, a transition across the threshold value from the set by the accumulation value may be determined to establish the threat condition. Thus, establishing a threat condition from the set of threat conditions at the block 368 may correspond to, for example, establishing a threat condition from the set of threat conditions (e.g., FIG. 1 and FIG. 2) already discussed.

Illustrated processing block 369 provides for managing the threat condition in response to the threat condition. In one example, a security action associated with a threshold value (and/or a threshold condition) may be performed. For example, a security action may involve sending an alert (e.g., a notification). In another example, a security action associated with a threshold value (and/or a threshold condition) may be performed to define the operational mode. For example, a current operational mode may be maintained when the threshold value is not crossed and/or the current operational mode may be modulated when the threshold value is crossed. In a further example, a transition across an elevated threshold value may be determined to establish the lost threat condition and/or the stolen threat condition based on the accumulation value, wherein the security action may include notifying another device (e.g., of an owner of the device) about the threat condition, notifying a device of a friend of the owner about the threat condition, locking the device, disabling one or more capabilities of the device, awaiting another trigger, and so on, or combinations thereof. Thus, managing the threat condition at the block 369 may correspond to, for example, managing the threat condition (e.g., FIG. 1 and FIG. 2) already discussed. It should be understood that the method 312 may include any further processing blocks as desired to manage a threat condition. For example, the method 312 may include a processing block to maintain a counter, to determine a correlation, to modify a threshold value, and so on, or combinations thereof.

FIG. 4 shows a method 412 to manage a threat condition according to an embodiment. Illustrated processing block 470 may determine a current accumulation point value. In one example, the current accumulation point value may be zero (0) if the accumulation point value is reset, if no suspicion trigger has been identified and zero (0) is a strongest safe condition value, if a device is newly deployed, and so on, or combinations thereof. In another example, the current accumulation point value may be non-zero (e.g., a positive integer value, a negative integer value, etc.) if a trigger has been identified, if the non-zero value is set as an initial value, and so on, or combinations thereof. Illustrated processing block 471 may hold for a trigger, such as a suspicion trigger, a calming trigger, and so on, or combinations thereof. In addition, the illustrated processing block 471 may identify the trigger. A determination may be made at block 472 if a trigger is a calming trigger. If not, a determination may be made at block 476 if the trigger is a suspicion trigger and/or the process may proceed directly back to the block 471 from the block 472 to hold for another trigger. If the trigger is not a suspicion trigger, the process may proceed back to the block 471 from the block 476 to hold for another trigger. If the trigger is a calming trigger, a determination may be made at block 473 if the accumulation point value is to be reset back to an initial point value (e.g., zero). If the accumulation point value is not to be reset, illustrated processing block 474 may subtract points from the accumulation point value if the calming trigger includes a negative point value. If the accumulation point value is to be reset, illustrated processing block 475 may reset the accumulation point value.

Illustrated processing block 478 may determine a new accumulation point value. In one example, the new accumulation point value may remain zero (0) based on, for example, a format of a risk assessment tool (e.g., a one-dimensional Cartesian scale from safe condition value zero to compromised condition value fifteen, etc.). For example, the new accumulation point value may remain zero (0) if zero (0) is a lower limit value (e.g., a boundary) of the tool. In another example, the new accumulation point value may be a negative integer value based on, for example, the format of a risk assessment tool (e.g., a one-dimensional Cartesian scale including negative safe condition values, etc.). For example, the new accumulation point value may be a negative integer value if a lower limit value (e.g., a boundary) of the tool resides at a negative coordinate, position, angle, and so on, or combinations thereof.

A determination may be made at the block 476 if a trigger is a suspicion trigger. If not, a determination may be made at block 472 if the trigger is a calming trigger and/or the process may proceed directly back to the block 471 to hold for another trigger. If the trigger is not a calming trigger, the process may proceed back to the block 471 from the block 472 to hold for another trigger. If the trigger is a suspicion trigger, illustrated processing block 477 may add points to the accumulation point value if the suspicion trigger includes a positive point value. It should be understood that there may be a determination to set the accumulation point value to an upper limit value (e.g., a boundary) of the tool based on the presence of the suspicion trigger, the value of the suspicion trigger, and so on, or combinations thereof. The illustrated processing block 478 may determine the new accumulation point value. In one example, the new accumulation point value may be a positive integer value based on the format of a risk assessment tool (e.g., a one-dimensional Cartesian scale from zero to fifteen, etc.). For example, the new accumulation point value may be a positive integer value if the upper limit value (e.g., a boundary) of the tool resides at a positive coordinate, position, angle, and so on, or combinations thereof. It should be understood that causing opposite effects via the plurality of triggers (e.g., effects in opposite directions, in opposite signs, in opposite angles, etc.) may be valuable, and that the integer values described having opposite signs are for illustration purposes.

A determination may be made at block 479 if a threshold value is crossed. If not, the process may proceed back to the block 471 to hold for another trigger. If so, illustrated processing block 480 may take a security action. For example, the illustrated processing block 480 may maintain an operational mode, may modulate a current operation mode, may notify another device (e.g., of an owner) about the threat condition, may notify a device of a friend of the owner about the threat condition, may lock the device, may disable one or more capabilities of the device, may await another trigger, may prompt for data, may limit a functional capability of the device, may suspend a functional capability of the device, and so on, or combinations thereof. The method 412 may proceed back to the block 471 to hold for another trigger, wherein one or more aspects of the method 471 may be implemented silently, synchronously, noninvasively, unintrusively (as desired), and so on, or combinations thereof.
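The FIG. 4 loop can be traced in code. The following is an added example, not code from the patent: it assumes the zero-to-fifteen scale with a moderate threshold of five and an elevated threshold of ten described earlier, while the trigger names, point values, weight factor, rounding and the condition-to-mode mapping are hypothetical choices made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Condition(IntEnum):
    SAFE = 0
    SUSPICIOUS = 1
    COMPROMISED = 2  # covers the lost and/or stolen conditions


# Assumed mapping from threat condition to operational mode (one possible policy).
MODE = {
    Condition.SAFE: "fully operational",
    Condition.SUSPICIOUS: "partially operational",
    Condition.COMPROMISED: "fully inoperable",
}


@dataclass(frozen=True)
class Trigger:
    name: str
    points: int = 0       # > 0: suspicion (departure), < 0: calming (reversion)
    reset: bool = False   # calming trigger that resets the counter outright
    weight: float = 1.0   # weight factor, e.g. derived from trigger correlation


@dataclass
class ThreatTracker:
    lower: int = 0        # lower limit of the scale, strongest safe value
    upper: int = 15       # upper limit of the scale
    moderate: int = 5     # safe / suspicious boundary
    elevated: int = 10    # suspicious / compromised boundary
    value: int = 0        # accumulation point value (block 470)
    actions: list = field(default_factory=list)

    def condition(self):
        # Reaching a threshold counts as crossing it, hence >=.
        if self.value >= self.elevated:
            return Condition.COMPROMISED
        if self.value >= self.moderate:
            return Condition.SUSPICIOUS
        return Condition.SAFE

    def handle(self, trig):
        before = self.condition()
        if trig.reset:                        # blocks 473 and 475
            new = self.lower
        elif trig.points == 0:                # neither calming nor suspicion:
            return before                     # hold for the next trigger (471)
        else:                                 # block 474 (subtract) / 477 (add)
            new = self.value + round(trig.points * trig.weight)
        # Block 478: the new value never leaves the scale of the tool.
        self.value = max(self.lower, min(self.upper, new))
        after = self.condition()
        if after != before:                   # block 479: threshold crossed
            # Block 480: record the security action (mode modulation).
            self.actions.append((trig.name, self.value, after.name, MODE[after]))
        return after


def replay(triggers, tracker=None):
    """Feed triggers in order; return the tracker and a per-trigger trace."""
    if tracker is None:
        tracker = ThreatTracker()
    trace = []
    for trig in triggers:
        cond = tracker.handle(trig)
        trace.append((trig.name, tracker.value, cond.name))
    return tracker, trace


# Constructed sample sequence; names and point values are illustrative only.
SAMPLE = [
    Trigger("failed_login", 2),
    Trigger("unusual_location", 3),
    Trigger("usual_handling_pattern", -1),
    Trigger("unusual_location", 4, weight=2.0),  # correlated, so weighted
    Trigger("failed_login", 6),                  # clamps at the upper limit
    Trigger("owner_authenticated", reset=True),
]

if __name__ == "__main__":
    tracker, trace = replay(SAMPLE)
    for row in trace:
        print(row)
    for action in tracker.actions:
        print("action:", action)
```

A security action is recorded only when the condition changes, so the fifth trigger, which saturates the counter at the upper limit while the device is already in the compromised region, produces none.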

FIG. 5 shows a computing device 588 having a processor 590, mass storage 592 (e.g., read only memory/ROM, optical disk, flash memory), a network interface 594, and system memory 596 (e.g., random access memory/RAM). In the illustrated example, the processor 590 is configured to execute logic 598, wherein the logic 598 may implement one or more aspects of the scheme 12 (FIG. 1), the architecture 212 (FIG. 2), the method 312 (FIG. 3), and/or the method 412 (FIG. 4), already discussed. Thus, the logic 598 may manage a threat condition, including identifying a plurality of triggers over a period of time, defining a threat risk value, determining a correlation, determining an accumulation value, adjusting an accumulation value, defining a set of progressive threshold values, defining a set of progressive threat conditions, establishing a threat condition based on the accumulation value, defining an operational mode for a device, and so on, or combinations thereof. The logic 598 may also be implemented as a software application that is distributed among many computers (e.g., local or remote). Thus, while a single computer could provide the functionality described herein, systems implementing these features can use many interconnected computers (e.g., for scalability as well as modular implementation).

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, the terms “first”, “second”, etc. may be used herein only to facilitate discussion, and carry no particular temporal or chronological significance unless otherwise indicated.

Those skilled in the art will appreciate from the foregoing description that the broad techniques of the embodiments of the present invention can be implemented in a variety of forms. Therefore, while the embodiments of this invention have been described in connection with particular examples thereof, the true scope of the embodiments of the invention should not be so limited since other modifications will become apparent to the skilled practitioner upon a study of the drawings, specification, and following claims.

1. An apparatus comprising a processor to: identify a plurality of triggers including a suspicion trigger to indicate suspicious activity for a device and a calming trigger to indicate calming activity for the device; determine an accumulation value based on an aggregation of each suspicion trigger and each calming trigger over a period of time; establish a threat condition based on the accumulation value; and define an operational mode for the device to manage the threat condition.
2. The apparatus of claim 1, wherein the processor is to generate the suspicion trigger and the calming trigger absent a security request and a security prompt.
3. The apparatus of claim 1, wherein the processor is to generate the suspicion trigger after a preset amount of time that is to indicate persistence of unusual usage of the device.
4. The apparatus of claim 1, wherein the processor is to: generate the suspicion trigger in response to a departure from an established usage pattern that is to indicate unusual usage of the device; and generate the calming trigger in response to a reversion towards an established usage pattern that is to indicate usual usage of the device.
5. The apparatus of claim 1, wherein the processor is to generate the calming trigger based on a disappearance of the suspicion trigger.
6. The apparatus of claim 1, wherein the processor is to: collect data silently that is to indicate a departure from an established usage pattern; and forward the data unintrusively to one or more of another device of an owner of the device, a device of a designated person, and a device of a designated organization.
7. The apparatus of claim 1, wherein the processor is to: determine a correlation among two or more of the triggers; and apply a weight factor to the accumulation value based on the correlation.
8. A computer program product comprising: a computer readable storage medium; and computer usable code stored on the computer readable storage medium, where, if executed by a processor, the computer usable code causes a computer to: identify a plurality of triggers including a suspicion trigger to indicate suspicious activity for a device and a calming trigger to indicate calming activity for the device; determine an accumulation value based on an aggregation of each suspicion trigger and each calming trigger over a period of time; establish a threat condition based on the accumulation value; and define an operational mode for the device to manage the threat condition.
9. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to generate the suspicion trigger and the calming trigger absent a security request and a security prompt.
10. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to generate the suspicion trigger after a preset amount of time that is to indicate persistence of unusual usage of the device.
11. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to generate the suspicion trigger in response to a departure from an established usage pattern that is to indicate unusual usage of the device, wherein the established usage pattern is to include a geospatial travel pattern, a geospatial location pattern, a device handling pattern, a communication pattern, an audio pattern, and a user recognition pattern.
12. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to generate the calming trigger in response to a reversion towards an established usage pattern that is to indicate usual usage of the device.
13. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to generate the calming trigger based on a disappearance of the suspicion trigger.
14. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to: collect data silently that is to indicate a departure from an established usage pattern; and forward the data unintrusively to one or more of another device of an owner of the device, a device of a designated person, and a device of a designated organization.
15. The computer program product of claim 14, wherein the computer usable code, if executed, further causes a computer to forward the data to the designated person based on one or more of a list of contacts, a list of social media friends, a relationship, and a calendar for an authorized user of the device, wherein the designated person is to include an individual that is in a meeting with the authorized user of the device to be identified using the calendar, and wherein the organization is to include a law enforcement agency.
16. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to: determine a correlation among two or more of the triggers; and apply a weight factor to the accumulation value based on the correlation.
17. The computer program product of claim 8, wherein the computer usable code, if executed, further causes a computer to establish the threat condition based on a risk profile, wherein the risk profile is to account for one or more of a device to be used, a usage context, and a usage location.
18. A method comprising: identifying a plurality of triggers including a suspicion trigger to indicate suspicious activity for a device and a calming trigger to indicate calming activity for the device; determining an accumulation value based on an aggregation of each suspicion trigger and each calming trigger over a period of time; establishing a threat condition based on the accumulation value; and defining an operational mode for the device to manage the threat condition.
19. The method of claim 18, further including generating the suspicion trigger and the calming trigger absent a security request and a security prompt.
20. The method of claim 18, further including: generating the suspicion trigger in response to a departure from an established usage pattern that is to indicate unusual usage of the device; and generating the calming trigger in response to a reversion towards an established usage pattern that is to indicate usual usage of the device.